Information Security Risk Management

SECTION 1: OVERVIEW
To protect the confidentiality and integrity of Saint Vincent College and Seminary data in compliance with applicable state and federal laws and regulations, a formal information security risk management policy has been established to consistently identify and track information security risks, implement plans for remediation, and provide guidance for strategic resource planning.

SECTION 2: PURPOSE
This policy provides a framework supporting effective organizational information risk management, specifically focused on ensuring the Confidentiality, Integrity, and Availability of the institution’s data and technical resources.

SECTION 3: SCOPE
This policy applies to all Saint Vincent College and Seminary faculty, staff and students making use of Saint Vincent information technology resources.

SECTION 4: POLICY STATEMENT
At least annually, the Data Security Coordinators, in cooperation with Saint Vincent leadership and business management, shall conduct a risk assessment to identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of information entrusted to Saint Vincent College and Seminary. Threats to consider include actions that could result in unauthorized disclosure, misuse, alteration, destruction or other compromise of information systems.

4.1  Risk Assessment
The risk assessment framework will consider the following elements:

  • Identification of Information and the Information Systems to be Protected, including electronic systems and physical components used to store, access, transmit, protect, and eventually dispose of information. Information and information systems can be both paper-based and electronic-based.
  • Threat Events - The risk assessment will outline and describe, for consideration, the various threat events, with a detailed description of each event.
  • Inherent Risk Rating - The risk assessors will determine the Probability of Occurrence and Probability of Impact for each of the Threat Events to determine the Inherent Risk Rating (Probability of Occurrence * Probability of Impact = Inherent Risk Rating).
  • Probability and Impact Considerations – The reasoning behind the determination of the ratings will be documented in the risk assessment materials to further elaborate on management’s judgement process when assigning these ratings.
  • Controls - The risk assessors will then discuss and document the various controls in place to mitigate each of the threat events considered in the risk assessment exercise.
  • Mitigation Level - Depending on the nature of the controls in place, management may assign a Mitigation Level to each specific Threat Event, to illustrate the level of mitigation that is in place for each Threat Event considered.
  • Residual Risk – The Residual Risk rating illustrates the risk rating after Controls are considered and a Mitigation Level is applied. Depending on the Mitigation Level applied, the inherent risk will either stay the same or be reduced.
  • Deficiencies – Notable deficiencies identified during the risk assessment process will be documented.
  • Mitigation Plans – Mitigation Plans, or plans of action, will be determined, and documented for the noted deficiencies.
The risk assessment shall cover all relevant areas of the organization’s operations, as determined by the Data Security Coordinators, in cooperation with College leadership and business management. At a minimum, the risk assessment shall cover the following types of threat events:
  • Adversarial
  • Non-Adversarial
  • Accidental
  • Environmental

4.2  Risk Mitigation

Once the significant risks to information have been identified, a mitigation plan should be implemented. Mitigation strategies may include:

  • Prioritizing risks based on the identified residual risk.
  • Identifying potential controls or processes to further reduce residual risk levels to an acceptable level.
  • Analyzing the cost/benefit of adding additional controls or processes.
  • Implementing additional controls or processes as needed.
  • In instances where management decides not to implement additional controls to mitigate an elevated residual risk, the rationale should be formally documented (risk acceptance).

4.3  Risk Monitoring

The Data Security Coordinators, in cooperation with College leadership and business management, shall regularly test or audit the effectiveness of the key controls, systems, and procedures that make up the organization’s safeguards, to ensure that all safeguards implemented as a result of the risk assessment are effective in controlling the risks identified in the risk assessment.

4.4 Risk Reporting

The risk assessment matrix shall be reviewed annually by the Data Security Coordinators, in cooperation with business management, and revised as necessary to ensure existing safeguards remain appropriate and to implement new safeguards where needed. The results of the risk assessment, including mitigation plans and risk acceptance, shall be presented to the Board of Directors on an annual basis. In addition, as the Data Security Coordinators and business management identify or perceive new threats, or change their outlook on current threats, the risk assessment shall be updated to include these threats.

SECTION 5: THIRD-PARTY SERVICE PROVIDERS (VENDOR)

If a product or service will be outsourced, both the due diligence during the selection process and the ongoing oversight of the selected vendor will be based on the risk assessment framework provided above.

5.1  Third-Party Contracts

Formal contracts that address relevant security and privacy requirements must be in place for all third parties that process, store, or transmit confidential data or provide critical services. The following must be included in all such contracts:

  • Acknowledgement that the third party is responsible for the security of the institution’s confidential data that it possesses, stores, processes, or transmits.
  • Stipulations that the third party’s security controls are regularly reviewed and validated by an independent party.
  • Specification of the recourse available to Saint Vincent should the third party fail to meet defined security requirements.
  • Articulation of the responsibilities for responding to direct and indirect security incidents including timing as defined by service-level agreements (SLAs).
  • Specification of the security requirements for the return or destruction of data upon contract termination.
  • Clear delineation of geographic limits on where data can be stored or transmitted.

5.2  Third-Party Review

In all cases where Saint Vincent’s sensitive data or critical services are provided to a third-party service provider, Saint Vincent must review the service provider's information security posture including internal controls on at least an annual basis. The evaluation of a third party may include the following items where applicable:

  • Higher Education Community Vendor Assessment Tool (HECVAT)
  • Audited financial statements, annual reports, SEC filings, and other available financial information.
  • Significance of the proposed contract on the third-party’s financial condition.
  • Experience and ability in implementing and monitoring the proposed activity.
  • Business reputation of the Vendor (including reference checks with current customers).
  • Qualifications and experience of Vendor’s principals.
  • Strategies and goals, including service philosophies, quality initiatives, efficiency improvements, and employment policies.
  • Existence of any significant complaints or litigation, or regulatory actions against the Vendor.
  • Use of other parties or subcontractors by the Vendor.
  • Scope of internal controls, systems and data security, privacy protections and audit coverage.
  • Business continuity and disaster recovery plans.
  • Adequacy of management information systems.
  • SSAE 18 documentation.
  • GDPR compliant assurance where applicable.
  • Applicable Gramm-Leach-Bliley Act (GLBA) reviews.
  • Insurance coverage.

Approved by: Fr. Paul Taylor, President
Approved Date: 6/23/2012
Effective Date: 6/23/2021
Revised Date(s): 8/25/2021
Author: Justin Fabin, CIO; Anthony Concannon, Network and Security Services Manager